For this log, you can just create a new rule for it without the decoder. You
only need the decoder if you want to extract specific values from the log
(like srcip, username, etc). An example rule would be:
<group name="cpu-stuff,syslog">
  <rule id="12345" level="0">
    <match>^MBM</match>
    <description>Logs that start with MBM</description>
  </rule>
  <rule id="123456" level="10">
    <if_sid>12345</if_sid>
    <match>C=2500</match>
    <description>C=2500 comment</description>
  </rule>
</group>
Regarding the accuracy (Randy's question), it is just a way to set the
priority of a rule. All rules are accurate by default. If you set it to 0,
the rule will be assigned a lower priority and checked only if all the
other rules failed. You will see that we use that for the "bad words"
matching.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
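For the second half of gentuxx's question (extracting the C=nnnn value rather than just matching on it), here is an added example, not from Daniel's reply or from the OSSEC distribution, of what the decoder and a pair of rules built on it would look like. It uses the standard OSSEC decoder.xml elements (prematch, regex, order) and the rule options decoded_as and extra_data. The decoder and rule names, the rule ids in the 100000 local range, and the choice of the extra_data field to hold the reading are all assumptions; OSSEC has no dedicated sensor-value field, so extra_data is just a free slot. The prematch is written against the field sequence rather than the MBM[Fan 1] prefix so that it works whether or not OSSEC has already stripped the syslog program name from the line.

```xml
<!-- Added example, not Daniel's code. Part 1: goes in etc/decoder.xml.
     Decoder name "mbm-sensor" is an assumption. -->
<decoder name="mbm-sensor">
  <!-- Cheap filter first: only lines carrying the C=/LA=/HA= field run reach the regex.
       Matched on the field sequence, not the "MBM[Fan 1]:" prefix (assumption: safer
       than relying on how the program name is parsed). -->
  <prematch>C=\d+ LA=\d+ HA=\d+ </prematch>
  <!-- Capture the C= value only; order maps the capture group to a decoded field.
       extra_data is an assumption: OSSEC has no purpose-built sensor field. -->
  <regex>C=(\d+) LA=</regex>
  <order>extra_data</order>
</decoder>

<!-- Part 2: goes in rules/local_rules.xml. Rule ids and levels are assumptions. -->
<group name="cpu-stuff,syslog">
  <!-- Level 0 grouping rule: fires for every decoded MBM sensor line but alerts on nothing;
       it exists so child rules can hang off it with if_sid. -->
  <rule id="100100" level="0">
    <decoded_as>mbm-sensor</decoded_as>
    <description>MBM sensor reading (grouping rule)</description>
  </rule>
  <!-- Child rule: tests the decoded value instead of the raw text, so "C=25000"
       can no longer match by accident the way a plain <match>C=2500</match> would. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <extra_data>^2500$</extra_data>
    <description>MBM sensor reported C=2500</description>
  </rule>
</group>
```

The point of the two-part layout is the same hierarchy Daniel describes: the decoder turns the line into fields, the level-0 parent rule classifies it, and the child rule that actually raises the level compares a decoded field. A raw `<match>C=2500</match>` also matches "C=25000"; anchoring the decoded value with ^2500$ does not, which is why extracting the field is worth the extra decoder once you want thresholds rather than string hits.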
On 8/22/06, gentuxx <[EMAIL PROTECTED]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So, if I wanted to monitor a log that *was* a 1 line entry, but is not a
standard log, would I need to create a decoder for it in decoder.xml?
For example, I have a Windows system that is syslogging Voltage/Fan/CPU
usage data to a central syslog server (which also happens to be my ossec
server). Given a line similar to this:
Aug 21 21:38:07 192.168.0.100 MBM[Fan 1]: C=2500 LA=1500 HA=99999 L=2463
H=2518 A=2499
Would I need to create a decoder to capture the c=nnnn field? Then, I
would be able to create rules based off of that decoder?
Obviously, I'm trying to understand how the hierarchy works here (in
addition to monitoring my systems).